Use os.path.join() instead of string concatenation in actions

Presence of / in action is not a problem at is check for early. Any other tricks are secured against by the realpath() check immediately afterwards.
2026-06-03 10:50:20 +00:00 · 2014-08-17 19:40:58 +05:30 · 2014-08-17 19:40:58 +05:30 · 4387c28495
commit 4387c28495
parent 642a4e10ff
1 changed files with 1 additions and 1 deletions
--- a/actions.py
+++ b/actions.py
@ -113,7 +113,7 @@ def _run(action, options=None, async=False, run_as_root=False):
    if os.sep in action:
        raise ValueError("Action can't contain:" + os.sep)

-    cmd = cfg.actions_dir + os.sep + action
+    cmd = os.path.join(cfg.actions_dir, action)
    if not os.path.realpath(cmd).startswith(cfg.actions_dir):
        raise ValueError("Action has to be in directory %s" % cfg.actions_dir)